Lessons from Lockdown, a Risk Management perspective
The rapid shift to remote working at the start of the Covid-19 epidemic provided a unique test for risk management, both in terms of the potential for new and heightened risks, and with respect to how effectively controls and business processes operate in a changed environment.
The loss of a ‘physical’ working environment affected the more traditional methods used to operate controls and influence employee behaviour (such as those focused on ‘supervision’ and ‘reviews’).
Concerns for many in Financial Services are likely to have focused initially on the resilience of the key processes and services that affect customers and clients, with a wary eye drawn to evolving Data and Cyber Security threats.
As lockdown(s) persisted, and many organisations demonstrated their resilience under remote working, priorities will have shifted increasingly towards employee morale and wellbeing.
Now, more than 18 months on from the first lockdown in the UK, there is an opportunity to look back and reflect on the lessons we can learn to support the evolution of risk management practices.
What have we seen?
A demonstration of resilience…
An analysis of the largest operational risk losses reported on ORX suggests that, at least from an operational risk perspective, there was limited impact from Covid-19 and the shift to remote working.
The largest losses disclosed on ORX over the past 12 months have primarily related to fines for ‘Inappropriate Market and Business Practices’ and / or ‘Suitability, Disclosure & Fiduciary’ failings. Whilst the fines were, in many cases, a consequence of historical issues and therefore not directly attributable to Covid-19 and remote working, they do raise questions over how effectively the risks have been, and will continue to be, managed.
Financial pressures driven by an increasingly challenging economic environment, combined with a higher degree of physical separation inhibiting control, have created a dangerous set of conditions that could incentivise and enable employees to commence or continue inappropriate market and business practices.
Whilst the nature and causes of the top ORX losses provide little evidence to suggest a material increase in operational risk exposure, this conclusion needs to be weighed against the fact that the full impact from Covid-19 will be hard to quantify. Accumulated ‘smaller’ losses, business disruption costs and other opportunity costs that likely occurred during this period will be difficult to identify and calculate from an operational risk perspective.
A focus on data and cyber risks…
The absence of major data and cyber related losses in Financial Services during this period has been a surprising positive, and suggests that:
- Investments to improve data and cyber security controls over recent years have proven successful.
- Data and cyber security controls were not materially weakened by remote working or reliant on a physical ‘office’ working environment.
The absence of major losses might, however, underplay the growth of data and cyber related risks that took place during this period. For example:
- According to UK Finance, a British record of £754 million was stolen by fraudsters in the first six months of this year, up 30% from the same period in 2020, and up more than 60% from 2017.
- The US alone suffered an estimated 65,000 ransomware attacks in 2020 (source: Financial Times).
- Major incidents did still occur at many non-FS organisations such as Twitch, Amazon’s live streaming platform, which suffered a notable data breach as a result of cyber-criminal activity.
So, whilst the shift to remote working may, in and of itself, not have significantly affected data and cyber risk exposure for FS organisations, it will nonetheless remain a top risk for all organisations to manage.
An increased focus on employees…
One of the more interesting developments over the past 18 months has been the shift in employees’ attitudes towards remote working.
Many employees have now embraced a remote or hybrid working model and are calling for its long-term adoption. In the UK at least, we have seen many fleeing the city for the tranquil benefits of countryside living. Whilst the rural escape and switch to remote working provided benefits to some, many others have craved the return to normal working life, thus creating a clearer divide in employees’ working preferences (often dictated or predicted by employee demographics).
The past 18 months have, for many, been a period where mental and physical health and wellbeing have suffered, with remote working a potential negative factor. Organisations have had to adapt how they treat their employees to maintain morale and effectively manage their people risks.
Although the long-term impacts from Covid-19 are unclear, what has become apparent is the opportunity for employers to adapt and offer more flexible ways of working to their employees. The ability to reduce office overhead costs and to attract and retain employees from a wider talent pool are both compelling cases for a more permanent shift to remote and hybrid ways of working.
Embracing a more permanent shift to hybrid and remote working, whilst proven as operationally effective and relatively low risk (at least in the short term), does create critical dependencies on Third Party software providers like Microsoft Teams and Zoom. Whilst this dependency is likely to already exist, the concentration risk around this small number of providers will create a new risk dynamic going forward.
The anticipated long-term shift to remote or hybrid working has also driven a regulatory reaction. In the UK, the FCA has responded by publishing its expectations for remote or hybrid working, stating that ‘ultimately, it’s important any form of remote or hybrid working adopted should not risk or compromise the firm’s ability to follow all rules, regulatory standards and obligations, or lead to a failure to meet them.’ These ‘expectations’ will require action, both for organisations who fall short of them and / or for those who will face challenges in proving their ability to meet them.
Covid-19 and prolonged periods of lockdown have proven far more devastating to organisations in other industries and the wider population. Lockdowns combined with accelerated retail branch closures have driven:
- An increase in the number of vulnerable customers, with more people out of work on long-term illness or unemployment and in a financially vulnerable position. This is an issue highlighted by the FCA in their ‘Financial Lives 2020 survey: the impact of coronavirus’.
- A large drop in the number of customers coming into branches, reducing the number of face-to-face interactions important for selling appropriate products.
- Increased challenges in training new employees, enforcing normal business practices and discussing boundary cases.
These combined factors mean that conduct-related risks will require continued and heightened focus in the future.
Covid-19 has accelerated, and for some forced, a long-term shift to hybrid ways of working. For the firms that have survived, the lockdowns demonstrated their ability to cope and operate effectively with employees working remotely. Nonetheless, firms will need to continue to invest in technologies that support risk management, strategically replacing controls that rely on face-to-face interactions.
With most of the largest losses coming from regulatory fines, how firms have treated their customers and clients over the past 18 months will be a key driver of future operational risk losses.
While FS organisations have shown that data and cyber risks can be controlled ‘remotely’, the threat continues to grow and evolve. FS organisations will need to keep pace with criminals and closely monitor any external weaknesses presented by their customers, clients, and other third-party providers.
Key items to address and questions to consider now (if not already actioned):
- Assess whether current products, business, and market practices (and those performed and offered over the past 18 months) are appropriate or a potential liability.
- Assess whether the FCA expectations for remote or hybrid working are met.
- Consider whether efforts to ‘survive’ the past 18 months have detracted from critical investment in other areas, i.e. those that may affect the firm’s operational resilience. Is it therefore time to assess how things could be done more effectively and efficiently to ensure long-term resilience?
- Consider how sustainable long-term remote / hybrid working is for your organisation, both from a productivity and employee morale perspective. Note, there are mixed views on this subject, with potential benefits attainable, such as the ability to increase workforce diversity and inclusivity.
- Consider the Third-Party risk exposure generated by remote access and video conferencing software providers and develop a business continuity plan should one or more fail.